
CVE-2008-4094:
Rails ActiveRecord gem vulnerable to SQL injection

CVSS Score: 7.5

Basic Information

EPSS Score: 0.85741%
Published: 10/24/2017
Updated: 11/8/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name: activerecord
Ecosystem: rubygems
Vulnerable Versions: < 2.1.1
First Patched Version: 2.1.1

Vulnerability Intelligence

Root Cause Analysis

The commit diff shows the vulnerability stemmed from unsanitized interpolation of :limit/:offset in add_limit_offset!. The abstract implementation and MySQL adapter override both lacked input validation. The patch introduced sanitize_limit and offset.to_i to mitigate this. The CVE description explicitly cites these parameters as attack vectors, and the fixes directly target these functions.
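
The difference between interpolating :limit/:offset as-is and coercing them first, as an added Ruby sketch (not the Rails source and not code from this page). The method names ending in _unsafe and _patched, the body of sanitize_limit, and the sample values are assumptions made for illustration.

```ruby
# Added illustration; not the Rails source. The *_unsafe / *_patched
# method names are hypothetical.

# Pre-patch pattern: option values are interpolated into the SQL as-is.
def add_limit_offset_unsafe(sql, options)
  if (limit = options[:limit])
    sql += " LIMIT #{limit}"
    if (offset = options[:offset])
      sql += " OFFSET #{offset}"
    end
  end
  sql
end

# Assumed behaviour of sanitize_limit: coerce every part to an Integer,
# keeping the "offset,count" comma form that MySQL accepts.
def sanitize_limit(limit)
  if limit.to_s.include?(",")
    limit.to_s.split(",").map(&:to_i).join(",")
  else
    limit.to_i
  end
end

# Patched pattern: only integers can reach the SQL string.
def add_limit_offset_patched(sql, options)
  if (limit = options[:limit])
    sql += " LIMIT #{sanitize_limit(limit)}"
    if (offset = options[:offset])
      sql += " OFFSET #{offset.to_i}"
    end
  end
  sql
end

BASE = "SELECT * FROM posts"
# Constructed request values: a numeric prefix followed by non-numeric text.
TAINTED = {
  limit:  "10 /* constructed trailing text */",
  offset: "20 /* constructed */"
}

if __FILE__ == $PROGRAM_NAME
  puts add_limit_offset_unsafe(BASE, TAINTED)   # trailing text survives
  puts add_limit_offset_patched(BASE, TAINTED)  # only the integers survive
end
```

String#to_i keeps only the leading digits and returns 0 for input with none, so a non-numeric value degrades to LIMIT 0 rather than reaching the query text.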
